Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
6-2021
Abstract
Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named Catcher, that utilizes the CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program or its running environment, nor does it demand special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses a cache-based side channel to infer the target's control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with accuracy scores of around 67% to 97%. Catcher incurs negligible overhead on the system and can be launched at any time to monitor an ongoing attack inside a virtual machine.
Keywords
Out-of-VM Introspection, Cache, Malware Analysis, Non-intrusiveness, Transparency
Discipline
Databases and Information Systems | Information Security
Research Areas
Information Systems and Management
Publication
Proceedings of the 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Taipei, Taiwan, 2021 June 21-24
First Page
326
Last Page
337
ISBN
978166543572721
Identifier
10.1109/DSN48987.2021.00045
Publisher
IEEE
City or Country
Taipei, Taiwan
Citation
SU, Chao; DING, Xuhua; and ZENG, Qinghai.
Catch you with cache: Out-of-VM introspection to trace malicious executions. (2021). Proceedings of the 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Taipei, Taiwan, 2021 June 21-24. 326-337.
Available at: https://ink.library.smu.edu.sg/sis_research/6737
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.